
Must-learn lessons from the Twitter hack attack

Heading up business news this week was the hacker attack on Twitter, in which the attacker made off with some 310 sensitive corporate documents. But the biggest news in this attack for the rest of us is how darn easy it was. In a must-read article on TechCrunch, Nik Cubrilovic interviewed the hacker and published a general outline of how he managed to get so far into Twitter’s documents. (If you haven’t read this article, it should be at the top of your list, since you and your business are vulnerable in exactly the same way.) Money quote:

Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. Features that were designed and built as a compromise since we are often unable to remember and recall a single four-digit PIN number, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use – which often is to say, very weak.

Now going back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a number of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, share data with other employees – be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application – it is the weakest application used by the weakest user.

In our first edition of Shoestring Venture: The Startup Bible, we had originally inserted a section on cloud computing security, but removed it for cost considerations. The big Twitter story this week has inspired us to dust off part of it and offer a few lessons you should have learned from Twitter’s clumsiness.

Use strong passwords
Names, telephone numbers, dictionary words, and hobbies are not just weak passwords; in the world of online computing, they don’t even deserve the name “password.” The strongest passwords are a nonsense string of characters at least 8 characters long (longer is better) that includes all three of the following: letters, numbers, and special characters (like $, #, ^, %). Here’s a weak password: spock. Here’s a strong one: 1a9%pw*3 (and now that it has been printed here, don’t use this one either). Yes, it’s hard to memorize, but no one is going to guess a password like that just by finding out easily available information about you.

Use different passwords
Use a different, strong password for every single online service you use. You should consider this an unbreakable rule for all services utilized by your business. But, if you’re smart, you’ll apply it to every online service you use personally, as well. And never, ever use a business password that is identical to a personal password. Ever. (That, I’m sorry to say, is how the hacker got into Twitter: one reused password opened the door to the rest.)

Lie on the security questions
Back in September, Sarah Palin had her Yahoo! mail account hacked because someone “guessed” the answer to one of her security questions. As Cubrilovic points out in his article, these security questions do not — I repeat, do not — increase the security of your online accounts; they significantly, whoppingly, overwhelmingly decrease it, because the answers are facts about you that anyone can look up. I never answer security questions truthfully. I either use random strings of letters and digits or names they could not possibly associate with me.
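The first three rules (strong, unique, and unguessable security answers) are easy to get wrong by hand, so here is an added example, not from the original post or from TechCrunch, that does them mechanically. It checks a password against the rule above (8 or more characters with a letter, a digit and a special), generates passwords from the operating system’s cryptographic random source, makes a random security-question answer, and hands out a distinct pair per service. The set of special characters and the sample service names are assumptions for illustration; real sites differ in what they accept.

```python
import math
import secrets
import string

# Character classes the post's rule requires: letters, numbers and special characters.
LETTERS = string.ascii_letters
DIGITS = string.digits
# Assumption: a conservative set of specials that most sites accept; adjust per site.
SPECIALS = "!#$%&*+-=?@^_~"
MIN_LENGTH = 8  # the post's minimum; longer is better, so 16 is the default below


def is_strong(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password meets the rule: min length plus a letter, a digit and a special."""
    if len(password) < min_length:
        return False
    has_letter = any(c in LETTERS for c in password)
    has_digit = any(c in DIGITS for c in password)
    has_special = any(c in SPECIALS for c in password)
    return has_letter and has_digit and has_special


def entropy_bits(password: str) -> float:
    """Upper bound on guessing work: length * log2(size of the character classes used).

    A dictionary word such as 'spock' is far weaker than this figure suggests, because an
    attacker tries words and personal details long before random strings.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, DIGITS, SPECIALS]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in password))
    if not password or alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def generate_password(length: int = 16) -> str:
    """Random password from the CSPRNG (secrets, never random) that passes is_strong()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = LETTERS + DIGITS + SPECIALS
    while True:  # rejection sampling: every accepted string is still uniformly random
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


def generate_answer(length: int = 16) -> str:
    """Random 'security question' answer.

    Lowercase letters and digits only, because many sites lowercase and strip answers
    before comparing them; a random string has no connection to you to look up.
    """
    alphabet = string.ascii_lowercase + DIGITS
    return "".join(secrets.choice(alphabet) for _ in range(length))


def per_service_credentials(services, length: int = 16) -> dict:
    """One unique password and one unique security answer per service, never shared."""
    creds = {}
    for service in services:
        creds[service] = {"password": generate_password(length), "answer": generate_answer()}
    return creds


if __name__ == "__main__":
    # Constructed example: the post's weak and strong passwords, plus three made-up services.
    for pw in ("spock", "1a9%pw*3", generate_password()):
        print(f"{pw!r:24} strong={is_strong(pw)} bits<={entropy_bits(pw):.1f}")
    for service, c in per_service_credentials(["twitter", "gmail", "bank"]).items():
        print(f"{service:10} password={c['password']} answer={c['answer']}")
```

Printing the results is only for the demonstration; in practice the output goes straight into whatever record you keep under “Manage your passwords” below, and the random answer is typed into the site’s security-question field in place of your mother’s maiden name.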

Change your passwords
A rule more honored in the breach. But your passwords should change regularly on both your personal and business Web services. How often? I change mine — all of them — every 30 days. Some experts say every 6 months, which is a common expiry period on sites that force you to change your password. So if you pick a period somewhere between those two, you’re probably doing alright. Certainly better than the nimnulls who use the same easy password on every account they have for years.

Manage your passwords
Face it, if you want to be secure, you have to follow the first four rules. And lest you end up locked out of every single service you subscribe to, you must manage those passwords. That means keeping both a soft copy and a hard copy of the service, the password, and the security question answer. Encrypt the soft copy and lock up the hard one; a plaintext list of every password is exactly the prize a hacker is looking for. And back it up. Offsite. Sure, it’s a lot more of a hassle than, say, using your telephone number. You have to go look up your password and copy and paste every time you want to log in to Facebook. But them’s the breaks.

Never automate the password process
You’ve seen it a million times. “Remember my password.” “Remember me.” It sure makes life easy to log in to your online service once and know that every time you return, BANG, the service just simply logs you in automatically. Or fills in your password for you. (You can also install software that will automate the password process even on sites that don’t allow it — believe it or not, TechCrunch has given two thumbs up to a couple of these, even though it’s one of the big winners in the bad idea department). If someone compromises your computer — either by making off with it or hacking into it — you’ve just handed away all your passwords.
